Documentation
v0.5.0
Everything to install fya, scan your app, and wire it into CI.
Installation
fya needs Python 3.9 or newer. The core install pulls only requests and rich.
pip install fya
pip install "fya[apk]" # Android APK manifest analysis
pip install "fya[browser]" # headless-browser crawler for SPAs

From a clone, with the test tooling:
git clone https://github.com/ayam04/fya
cd fya
pip install -e ".[dev]"

What's new
16 new attack techniques and a codebase-wide bug sweep
- New web checks: client-side JS secret exposure, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, exposed config and credential files, directory listing, and advanced CORS bypasses (null origin, prefix/suffix match bugs).
- New injection and SSRF checks: signature-based SSRF (cloud metadata and file://), MongoDB-style NoSQL injection, and XPath/LDAP/SSI injection.
- New header checks: unkeyed forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL access-control bypass, missing COOP/CORP/Permissions-Policy, and cookie prefix and scope misuse.
- New GraphQL hardening check: field-suggestion leakage, query batching, and GET/CSRF execution.
- New mobile and source checks: insecure WebView JavaScript bridge, unverified App Links, weak custom-permission guards, and dangerous GitHub Actions workflow patterns (pwn-request and script injection).
- Fixed 15 bugs found by an adversarial audit, including a CLI crash on malformed ports, false-positive sensitive-file detection, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.
Black, gray, and white-box test strategies
- New black-box mode: input fuzzing and robustness. Malformed, oversized, wrong-type, unicode, null-byte, and format-string payloads that surface crashes and leaked stack traces.
- New gray-box mode: IDOR detection and auth-bypass probing of protected routes.
- New white-box mode: point fya at a source directory. Scans for hardcoded secrets and risky sinks (eval, exec, shell=True, pickle, disabled TLS verification), and folds in semgrep or bandit when installed.
- Reports now group findings by test strategy, in the console, HTML, and Markdown.
- Load, stress, and network-chaos testing are deliberately excluded. They are denial-of-service shaped. Use k6, Locust, or Toxiproxy for those.
Quickstart
Point fya at a local server or an APK. Localhost needs no authorization flag.
fya scan http://127.0.0.1:8000
fya scan ./app-release.apk
fya scan http://127.0.0.1:8000 -o report.html # shareable report
fya scan http://127.0.0.1:8000 --fail-on high # exit non-zero in CI
fya tools # list detectable external tools

Try it against the bundled deliberately-vulnerable app in the repo:
python examples/vulnerable_app.py # starts on http://127.0.0.1:5001
fya scan http://127.0.0.1:5001 --mode full -o report.html

The Claude skill
Prefer to stay in Claude? fya ships as a skill that makes Claude run the same non-destructive scan itself, with no package to install. It confirms you own the target, runs the checks, and reports in the chat.
Install it by copying one folder into your Claude skills directory:
git clone https://github.com/ayam04/fya
cp -r fya/skills/fya ~/.claude/skills/fya

On Windows the destination is %USERPROFILE%\.claude\skills\fya. Then just ask Claude:
scan http://localhost:3000 for vulnerabilities
check ./app-release.apk for security issues

Claude confirms the target and authorization, picks a mode and profile, runs the OWASP-mapped checks, and applies the same false-positive discipline as the CLI. It is fully agentic: it drives the probes with its own tools, so it works even where the package is not installed.
Targets
fya detects the target type automatically. A path ending in .apk (or any zip archive that contains an AndroidManifest.xml) is analyzed statically. A local directory is treated as source and analyzed white-box. Anything else is a web target; a bare host given without a scheme defaults to http for localhost and private addresses and to https otherwise. Non-local web targets also need --i-am-authorized (see Responsible use).
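The detection rule above, written out as an added shell example so you can predict what a given `fya scan <target>` will do before you run it. This is not fya's own code. It assumes that "private addresses" means loopback, RFC 1918 and link-local IPv4 ranges, that "local" in the authorization rule means loopback only, and that IPv6 literals can be ignored; the fya_* function names are illustrative.

```shell
#!/bin/sh
# Added example, not fya's own code: the target-detection rule from the docs,
# written out so you can predict what `fya scan <target>` will do and whether it
# will demand --i-am-authorized. Assumptions: "private addresses" means loopback,
# RFC 1918 and link-local IPv4 ranges; "local" for the authorization rule means
# loopback only; IPv6 literals are not handled; the fya_* names are illustrative.

# apk: a path ending in .apk; source: an existing directory; web: anything else.
fya_target_kind() {
  case "$1" in
    *.apk) echo apk ;;
    *) if [ -d "$1" ]; then echo source; else echo web; fi ;;
  esac
}

# Host part of a target: strip an optional scheme, then port and path.
fya_host_of() {
  u=$1
  case "$u" in *://*) u=${u#*://} ;; esac
  echo "${u%%[:/]*}"
}

fya_is_loopback_host() {
  case "$1" in
    localhost|127.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Loopback plus RFC 1918 and link-local IPv4 (assumed to be fya's "private").
fya_is_private_host() {
  fya_is_loopback_host "$1" && return 0
  case "$1" in
    10.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# A target with a scheme is kept; a bare host gets http:// when local/private
# and https:// otherwise, as the docs state.
fya_default_url() {
  case "$1" in
    *://*) echo "$1" ;;
    *) if fya_is_private_host "$(fya_host_of "$1")"; then
         echo "http://$1"
       else
         echo "https://$1"
       fi ;;
  esac
}

# Exit 0 when --i-am-authorized is required: a web target that is not loopback.
# APKs and source directories never need it.
fya_needs_authorization() {
  [ "$(fya_target_kind "$1")" = web ] || return 1
  ! fya_is_loopback_host "$(fya_host_of "$1")"
}

# The command line fya would get, with the flag added only where required.
fya_scan_argv() {
  case "$(fya_target_kind "$1")" in
    web)
      if fya_needs_authorization "$1"; then
        echo "fya scan $(fya_default_url "$1") --i-am-authorized"
      else
        echo "fya scan $(fya_default_url "$1")"
      fi ;;
    *) echo "fya scan $1" ;;
  esac
}

# Stand-alone use: sh targets.sh 127.0.0.1:8000 staging.example.com ./app.apk
for t in "$@"; do fya_scan_argv "$t"; done
```

Note the split: a 10.x or 192.168.x host gets http by the scheme rule, but it is still not loopback, so the example still demands the authorization flag for it; if fya treats private ranges as local, drop that case from fya_needs_authorization.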
fya scan http://127.0.0.1:8000 # web target
fya scan ./app-release.apk # android package
fya scan ./my-service # source directory, white-box

Scan modes
A mode selects which family of checks runs. Pick one with --mode, refine with --only and --skip, or choose from a menu with --interactive. List them with fya modes.
| Mode | What it runs |
|---|---|
| auto | Everything that applies to the detected target. The default. |
| recon | Passive, read-only reconnaissance. |
| web | Web app: headers, TLS, active web checks, and API. |
| api | API surface plus supporting web checks. |
| mobile | Android APK static analysis. |
| blackbox | No internals: input fuzzing and robustness plus outside-in web checks. |
| graybox | Partial knowledge: IDOR, auth bypass, and API contract probing. |
| whitebox | Source access: static analysis of a code directory. |
| full | Everything, aggressive, including external tool handoff. |
Profiles
A profile sets how hard fya probes, independent of the mode. Request pacing adapts automatically and slows down on errors, timeouts, and slow responses. fya never floods a target or runs denial-of-service payloads.
| Profile | Behavior |
|---|---|
| passive | Read-only. Headers, TLS, cookies, disclosure, fingerprinting. |
| safe | Non-destructive active probes. Reflection, error signatures, CORS. The default. |
| aggressive | Heavier probing and external-tool handoff. Still non-destructive. |
Authentication and scope
Scan behind a login, and keep the scan inside a boundary with scope and budget controls.
# authenticated
fya scan https://staging.example.com --i-am-authorized \
-H "Authorization: Bearer $TOKEN"
fya scan http://127.0.0.1:8000 --cookie "session=abc123"
# scope and budget
fya scan http://127.0.0.1:8000 --include '/app' --exclude '/logout'
fya scan http://127.0.0.1:8000 --max-requests 500
# render JS and single-page apps (needs the [browser] extra)
fya scan http://127.0.0.1:8000 --spa

Baseline and CI
Record the findings you have accepted, then fail the build only on new ones.
fya scan http://127.0.0.1:8000 --write-baseline .fya-baseline.json
fya scan http://127.0.0.1:8000 --baseline .fya-baseline.json --fail-on high

Reports
Format is inferred from the -o extension, or set it with --format. Use --fail-on to make the scan exit non-zero when findings reach the given severity, so a pipeline step fails on them.
| Format | Use it for |
|---|---|
| console | The default. A colored summary table in your terminal. |
| json | Machine-readable output for pipelines and dashboards. |
| sarif | Upload to GitHub code scanning. Includes fingerprints for de-duplication. |
| markdown | Drop into issues, wikis, or pull requests. |
| html | A self-contained, shareable page. |
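A CI gate that ties the baseline workflow (Baseline and CI) to the SARIF report format, as an added shell example that is not part of fya. It assumes an APP_CMD that starts the service (defaulting to the repo's example app on port 5001), that curl is installed, and that --baseline, --fail-on, --format and -o can be combined on one command line, which the page shows only on separate lines.

```shell
#!/bin/sh
# Added example, not part of fya: a CI gate around the baseline workflow.
# It starts the service, waits for it to answer, seeds .fya-baseline.json on
# the first run, and on later runs fails the job only when fya reports findings
# that are absent from the baseline and reach --fail-on, writing SARIF for code
# scanning. Assumptions: APP_CMD starts the app (defaults to the repo's example
# app on port 5001); curl is installed; --baseline, --fail-on, --format and -o
# combine on one command line (the docs show them on separate lines).
set -u

: "${TARGET:=http://127.0.0.1:5001}"
: "${BASELINE:=.fya-baseline.json}"
: "${SARIF:=fya.sarif}"
: "${FAIL_ON:=high}"

# Poll until the target answers any HTTP request, or give up after $2 seconds.
wait_for_http() {
  url=$1
  deadline=$(( $(date +%s) + ${2:-30} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if curl -s -o /dev/null "$url"; then return 0; fi
    sleep 1
  done
  return 1
}

# The gate. Exit status: 0 on pass, fya's own non-zero status when new findings
# reach the threshold (or on a scan error), so the job inherits the verdict.
fya_ci_gate() {
  target=$1; baseline=$2; sarif=$3; fail_on=$4
  if [ ! -f "$baseline" ]; then
    # First run: record today's accepted findings and pass. Review the file and
    # commit it; from then on only findings missing from it can break the build.
    fya scan "$target" --write-baseline "$baseline" || return $?
    echo "baseline seeded at $baseline; review and commit it" >&2
    return 0
  fi
  fya scan "$target" --baseline "$baseline" --fail-on "$fail_on" \
    --format sarif -o "$sarif"
}

main() {
  ${APP_CMD:-python examples/vulnerable_app.py} &
  app_pid=$!
  trap 'kill "$app_pid" 2>/dev/null' EXIT
  wait_for_http "$TARGET" 30 || { echo "$TARGET did not come up" >&2; exit 2; }
  fya_ci_gate "$TARGET" "$BASELINE" "$SARIF" "$FAIL_ON"
}

# Run the pipeline only when asked (FYA_CI=1), so the functions can also be sourced.
if [ "${FYA_CI:-0}" = 1 ]; then main; fi
```

Seed the baseline once on a branch, read it in review, and commit it; after that the gate breaks only on findings the team has not already accepted. Upload fya.sarif to GitHub code scanning (the github/codeql-action/upload-sarif action consumes SARIF), where the fingerprints fya includes keep re-runs from opening duplicate alerts.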
Checks catalog
58 checks across thirteen areas, each mapped to the OWASP Top 10 or MASVS and a CWE. Every check runs only at or above its minimum profile.
| Area | Min profile |
|---|---|
| Web passive | passive |
| Web active | safe |
| Web advanced | safe / aggressive |
| Web secrets & files | safe |
| Web SSRF & injection | safe |
| Web hardening | passive |
| Black box | safe |
| Gray box | safe |
| White box (source) | passive / safe |
| TLS | passive |
| API | safe |
| APK static | passive |
| Integrations | aggressive |

External tools
If any of these are on your PATH, fya runs them and folds their results into one normalized report. If not, it falls back to built-in checks. Check what is detected with fya tools.
nuclei nikto sqlmap nmap testssl.sh sslyze jadx apkleaks
Docker
The image bundles nmap, so external-tool handoff works out of the box.
docker build -t fya .
docker run --rm --network host fya scan http://127.0.0.1:8000

--network host lets the container reach a service bound to the host's loopback; that holds for the Linux Docker engine. Docker Desktop on macOS and Windows does not share the host's loopback that way, so point the scan at host.docker.internal there.

Responsible use
fya performs active security testing. Only scan systems you own or are explicitly authorized in writing to test. Scanning a non-local target requires --i-am-authorized. Scans are non-destructive by default, with no flooding and no denial-of-service payloads. You are responsible for how you use this tool.
Licensing
fya is dual-licensed. It is free for noncommercial and personal use under the PolyForm Noncommercial License 1.0.0, which covers hobby projects, research, education, personal study, and nonprofit or government use.
Commercial use requires a paid license — using fya in, or for, a for-profit company's products, services, or internal operations. To obtain one, contact ayamullahkhan04@gmail.com. Versions before 0.5.0 were released under the MIT License and remain available under those terms.